Last week, following the publication in November 2016 of the National Institute of Standards and Technology (“NIST”) cybersecurity guide for small businesses, entitled Small Business Information Security: The Fundamentals, the United States Senate Committee on Commerce, Science, and Transportation introduced “The Main Street Cybersecurity Act” to require NIST to provide guidance and resources to small businesses to improve their cybersecurity preparedness and infrastructure. The proposed legislation recognizes previous reports finding that 60% of small businesses fail within six months of suffering a data breach, and is mindful that small businesses are the engine that drives the economy, employing more than half of the labor force in the United States.
Accordingly, the Main Street Cybersecurity Act (“Act”) seeks to ensure that small businesses have access to support systems, including a voluntary cybersecurity framework designed to meet the capabilities of small enterprises, which have the same needs and duties as their larger counterparts to implement reasonable measures (if not best practices) to protect their confidential and sensitive data. In addition to mandating that NIST “disseminate resources to help reduce small business cybersecurity risks, and for other purposes,” the Act is intended to educate small businesses about cyber vulnerabilities so that they can undertake remedial measures to safeguard their customers’ personal identifying information and deter cyber threats. Resources to be made available to small businesses include “guidelines, tools, best practices, standards, methodologies, and other ways of providing information.” The Act requires, among other things, that the resources disseminated be usable by small businesses and vary with their nature and size, meaning that, within reason, they are basic, simple and involve the use of off-the-shelf technologies to defend against common cybersecurity risks.
The Act seeks to ensure that sufficient resources are made available to small businesses to allow them to use the NIST framework, which was codified by the Senate in 2014 under the Cybersecurity Enhancement Act. As many small businesses believe they do not have the means to establish meaningful cybersecurity measures, the Act aims to provide them with access to information that will permit them to address cyber threats.
As noted in a prior blog post, cyber-related studies make plain that small businesses are regularly exposed to cyberattacks from which they may be unable to recover. Reasonable, cost-effective policies to protect sensitive data, along with informative employee training, are important tools that small businesses can use to reduce the risk of a data breach that proves fatal, and they should be considered by all businesses, irrespective of size. If enacted, the Act may make it easier for small businesses to safeguard their sensitive data. But, regardless of whether it is enacted, small businesses will continue to have a duty to establish reasonable policies and procedures to protect their customers’ personal identifying information.